Overview

overview

10

Static

static

7

CSHacksFre...ks.exe

windows7-x64

1

CSHacksFre...ks.exe

windows10-2004-x64

1

Covid18.exe

windows7-x64

10

Covid18.exe

windows10-2004-x64

10

Covid20.exe

windows7-x64

7

Covid20.exe

windows10-2004-x64

7

Covid21 2.0.exe

windows7-x64

8

Covid21 2.0.exe

windows10-2004-x64

8

Covid666.exe

windows7-x64

Covid666.exe

windows10-2004-x64

CrazyPos.exe

windows7-x64

1

CrazyPos.exe

windows10-2004-x64

1

CrazyText.exe

windows7-x64

1

CrazyText.exe

windows10-2004-x64

1

Cronic.exe

windows7-x64

1

Cronic.exe

windows10-2004-x64

1

country.exe

windows7-x64

1

country.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    1800s
  • max time network
    1167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-03-2024 18:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Covid20.exe

  • Size

    4.8MB

  • MD5

    fde53eb92140afb22152cfa283ef26cc

  • SHA1

    b975f240e69307f809e54fabf6ea547183edf130

  • SHA256

    56c6b80e9f525e9010b47112f8085751e8e3fb744e111df3330b481df6a7e954

  • SHA512

    df5eaa0e429e618d7c94eab0dd6021d774abe50ad2d200d3608d1d1c50b70e65eccff564baa2fd2b86a5dad999ff7edb04152ac5cbff209fae7d93c329dff771

  • SSDEEP

    98304:i1EB4Av3kOW561R4+8QxEmKDxUmEhc0R2lIP9W0uJPg4dWzN/ODIw9AtVje7gQ:EEi4z1R4+LKDPEK0RBFduJ44dWpiHAtM

Score
7/10
aspackv2ransomwareupx

Malware Config

Signatures

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Covid20.exe
    "C:\Users\Admin\AppData\Local\Temp\Covid20.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1560
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\706D.tmp\covid.bat" "
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3940
      • C:\Users\Admin\AppData\Local\Temp\706D.tmp\CLWCP.exe
        clwcp c:\covid20\bg.bmp
        3⤵
        • Executes dropped EXE
        • Sets desktop wallpaper using registry
        PID:2300
      • C:\Users\Admin\AppData\Local\Temp\706D.tmp\flasher.exe
        flasher 5 c:\covid20\covid.bmp
        3⤵
        • Executes dropped EXE
        PID:1508
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\706D.tmp\corona.vbs"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        PID:3964
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
      PID:2624
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k UnistackSvcGroup
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3156

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\706D.tmp\CLWCP.exe
      Filesize

      505KB

      MD5

      e62ee6f1efc85cb36d62ab779db6e4ec

      SHA1

      da07ec94cf2cb2b430e15bd0c5084996a47ee649

      SHA256

      13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

      SHA512

      8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\706D.tmp\bg.bmp
      Filesize

      13.5MB

      MD5

      a0f275286beee5fc80ffb53af50569b9

      SHA1

      846386be992c5edac72834836c5c7520eff4283e

      SHA256

      d0988fd55ed861cc8346ea4a3b710fab9bc8a872291efe871128ae6017441628

      SHA512

      6fab39744c690003d1169da957cbe50ad7101cb7b11a60b3161a81ecb23bed0236e9b4d8371dab1865203ce9bc544b63220d58bbc4b5199ac2f17404ea6cd336

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\706D.tmp\corona.vbs
      Filesize

      130B

      MD5

      e61624dced063c4ba5352bf487f12410

      SHA1

      40bd08928900cd97f444ffaa78d93dcaf913b274

      SHA256

      82ac48c4f7edbab182aa0a8c320d5616ccdd2f0e83dc733b91e45521f85462a3

      SHA512

      2a27db12d2af35e7b51a307eb8860800075867922d3d63a69da608c96bec045f3c64ac757674d2a40d7f4d9e55179fc2bddc17691919e18e109a5d4669c607ac

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\706D.tmp\covid.bat
      Filesize

      445B

      MD5

      b08e02e536917f897acb2d21f42f0a97

      SHA1

      a078f1addfd3eeb0f0cb5fd206ff78e9dc0f3e45

      SHA256

      2c68caeada2c251c5fc12694b7288a5790114ced4142867179e75d313efaa50c

      SHA512

      1d1901c3c676bb6d99a39d1a0bab1a6ee378090390bb5e7fe66cf754b8dd772ac0b79ba1215fa758445db1deac200afcc5e1e1e32b2562df946c82b530ca95ab

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\706D.tmp\covid.bmp
      Filesize

      147KB

      MD5

      738bbd119d8877f8342e1ff00fe60dff

      SHA1

      fc11d85e3c5b46bd877e06985fec1a601ce396ed

      SHA256

      548c9e22a04650efec06a0414d205d24600e08e0fac1beed7e8b4c03730962bb

      SHA512

      f7a12c9a1403c9a1953387c5871d6e7865ba80c405f37c51f5c3e093bab9235b8a8ba62ad8b27f2079407e9672d47ac365c9cb08033ef349bd8c9906a30fefad

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\706D.tmp\flasher.exe
      Filesize

      246KB

      MD5

      9254ca1da9ff8ad492ca5fa06ca181c6

      SHA1

      70fa62e6232eae52467d29cf1c1dacb8a7aeab90

      SHA256

      30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6

      SHA512

      a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a

      Download Submit

    • memory/1508-50-0x0000000000400000-0x00000000004A4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/1508-39-0x0000000002100000-0x0000000002101000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1508-33-0x0000000002100000-0x0000000002101000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1508-37-0x0000000000400000-0x00000000004A4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/1508-38-0x0000000000400000-0x00000000004A4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/1560-34-0x0000000000400000-0x0000000001A7B000-memory.dmp

      Filesize

      22.5MB

      Download

    • memory/1560-0-0x0000000000400000-0x0000000001A7B000-memory.dmp

      Filesize

      22.5MB

      Download

    • memory/2300-36-0x0000000000400000-0x0000000000484000-memory.dmp

      Filesize

      528KB

      Download

    • memory/2300-29-0x0000000002210000-0x0000000002211000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3156-51-0x0000012EC9140000-0x0000012EC9150000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3156-67-0x0000012EC9240000-0x0000012EC9250000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3156-83-0x0000012ED15B0000-0x0000012ED15B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3156-85-0x0000012ED15E0000-0x0000012ED15E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3156-86-0x0000012ED15E0000-0x0000012ED15E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3156-87-0x0000012ED16F0000-0x0000012ED16F1000-memory.dmp

      Filesize

      4KB

      Download